On the latest episode of Cracking the Code, ClearDATA Founder and Chief Information Security Officer Chris Bowen sits down for a Q&A and shares his insights on the latest trends in healthcare cybersecurity.
What should healthcare CISOs and tech leaders pay attention to in the next 12 months?
Watch and find out.
Transcript
Cracking the Code Episode 25
0:06
Welcome to the official 25th edition or episode of Cracking the Code.
0:11
Wow.
0:11
I mean, that’s a milestone.
0:14
That is a milestone right there.
0:15
I have to say I’m excited to be joining you all today.
0:18
My name is John Deering.
0:20
I head up marketing over here at ClearDATA, and I’m excited to be joined by Chris Bowen, who’s our founder and CISO, and Charles Cedar, who is our Chief Services Officer.
0:33
And today we’re going to talk about one of the biggest challenges in cybersecurity, which is having the right skills and the right capacity within your organization to address these challenges.
0:46
You know, I was doing a bunch of research and we’ll get into that, but it seems like this is a, a hole that we’re always trying to dig ourselves out of, right?
0:53
And we can look at, you know, you go back to things like Change Healthcare earlier this year, right, where somebody didn’t turn on MFA, whoops, the biggest cybersecurity incident in the history of healthcare, in the history of the world, right?
1:11
I mean, we can add two of those, didn’t we, John?
1:14
Yeah, well, yeah, that that’s one of them, right.
1:16
But, you know, and we talk about, you know, where the biggest source of incidents that lead to breaches is: misconfigurations, which are commonly driven by human error, right.
1:28
And so it, it, it’s a really interesting challenge that it seems is persistent and ongoing in in this industry.
1:36
So as I mentioned, I was looking at some reports and they’re essentially saying that, you know, the, the capacity for staff it, it has stalled.
1:43
It hasn’t grown year over year.
1:46
This is some of ISC2’s recent report.
1:49
But also that these organizations are saying, you know, their biggest challenge, 9 out of 10 are saying this is the skills that the team has, not the level of staffing that they have.
1:58
Two-thirds of them say that it’s more skills than staffing.
2:02
So I’m curious, maybe Charles will will jump off with you as you know, kind of running the people who do this for, for our customers.
2:13
Like what do you think is the biggest thing that that creates that gap or widens that gap within the, you know, the in internal teams that are trying to, you know, solve these for their organizations and for healthcare organizations in particular?
2:27
Yeah, I mean, John, I can share with you, I talk to a lot of customers and a lot of CISOs, and I was just out with a customer last week and we were talking about this.
2:34
And I think you’ve got 2 of potentially 3 dimensions that are on their mind right now.
2:39
There’s one, can I find the people, you know, while some of the hiring may be a little flat out there.
2:46
The people are still in demand.
2:47
This is a space that, unlike other spaces within this type of work, continues to demand those type of resources because the the threats aren’t aren’t going away.
2:57
I think that’s kind of the third component.
2:58
We should talk about the second component.
3:01
So you know, how do I go get those people, how to recruit them?
3:03
How do I make sure that that they’re coming in?
3:05
The second part is, you know, with my established staff, how do I make sure that they’re current in their skill set?
3:11
You know, there’s a big thing that’s going around now, as you can see, like with the federal government talking about how do I get more cybersecurity people in, don’t need a degree requirement, need a certification requirement, these type of things like that.
3:21
And what you find is, you know, with a lot of the certified certifying bodies I was looking at the other day, there’s over 700 certification types that you can find in this space.
3:31
How do you just keep current with that, especially as operators are heads down doing their business?
3:36
If you’re in a SOC, right, you’re in a SOC working really hard, right, to avoid these things, to try to really get past it.
3:42
When do I get the time for the training given the workloads that are out there?
3:45
So I you know, I see that definitely.
3:47
But the other one that that I think is going to throw this all up and he won’t, Chris, I think you would have an interesting perspective is the fact with AI marching in the way that it’s marched in where it used to be.
3:58
Threat actors could come in, right, and kind of one-on-one try to try to try to come in, whether either the threat actor was manipulating a person or even, you know, kind of clumsy work in in, in the way that was going on.
4:11
Now you have AI coming in as a threat actor that changes what your people need to know because they’re competing against a different type of player.
4:19
So, you know, I think that as I talk to customers, as I talk to peers in the organization, those are really the three things that are top of their mind as they start to think about how do I really stay safe, especially in a place like ours with PHI and other data.
4:31
That’s really important.
4:32
I don’t Chris, what do you think about AI?
4:34
I mean, it’s a it’s a game changer for sure.
4:37
It it’s almost like a reboot in terms of the things that you mentioned.
4:43
John and Charles, I’ll, I’ll go back to the certification.
4:47
Just keeping it on top of your certifications is a daunting task.
4:52
You talked about the workload in a SOC.
4:56
You talk about workload and and technical debt remediation, all these other things.
5:02
When do you have time to do that?
5:04
I’ll tell you my method is my, my Reuben method is always to wait till the very end and then try to wonder how did I put myself in this situation again this year?
5:14
But seriously, the cybersecurity landscape is a totally different one from two years ago, completely different, because we have that AI threat; also it’s an ally.
5:31
So it just depends on what side of the coin you’re on with that.
5:34
But if we’re not teaching our people how to, how to understand and know what an, an artificial intelligence workload or solution looks, what it looks like, we need to be doing that.
5:48
Because if you don’t know what you’re you’re guarding, you don’t know how to protect it.
5:53
Yeah, You know, you said something that was really interesting there, Chris, ’cause I, I, there is two sides to that coin, right?
5:59
You know, I, I think as security professionals, we obsess about the, the one side, which is the people coming towards us, right?
6:04
And, and what’s happening with autonomous bots, right?
6:07
And, and coordinated bots and that type of stuff.
6:09
But, but how do we, how do we as defenders, right, use those type of things?
6:14
And the, the, the thing that’s starting to come up around that is I think the marketplace around certification and knowledge is actually lagging towards what’s going in there because you think about how quickly those tools are changing, right?
6:25
There was just a new version of ChatGPT that just dropped that are just really blowing people’s minds.
6:30
And there’s nothing there that are helping the good guys train the good guys in order how to use that effectively against the bad guys where, you know, the bad guys are already running down to, to try to figure out those exploits in, in.
6:44
And I, I think it’s really puts a lot of pressure on the organization, right in the context that you don’t have these outside things you could rely on.
6:53
It could be, you know, to your point, Hey, go, go get your recertification or go get your new certification Now.
6:57
It’s like you just got to keep up every day and make that a thing, to keep up with the trends in AI, keep up with the trends in operations, the 700 or so configurations that are available in the cloud and the thousands that change every year.
7:10
Right, back to what John was talking about, the misconfigurations that allow those leakage, then I got to worry about kind of all the security stuff that’s going in there.
7:17
And I think the complexity, you know, has just multiplied and will continue to multiply as, as, as we go along.
7:24
Yes, the combinations and permutations that’ll get you.
7:28
What’s really interesting in some of this research is the World Economic Forum’s 2024 Global Cybersecurity Outlook.
7:37
They talked about more tech, more tech, but it exacerbates the problem.
7:44
And like you were saying, Charles, right now, you got to keep up with the tech that you’re trying to use, which is another level of skill set you have to do.
7:52
And what’s interesting is we’re seeing that trend now and we just did a research report for the 2024 state of healthcare or cloud security and compliance posture.
8:02
And our respondents said over half of them said that anywhere between 20 to 40% of their IT budget is going to tooling and training, right?
8:13
So, so are, are, are, are they thinking about this the right way?
8:16
Are they thinking about solutioning and solving this threat?
8:20
This, you know, it feels like this is a tsunami, right?
8:22
That just keeps higher and higher.
8:23
But, but are they, is, is that the right approach in your opinion?
8:26
Like, I mean, exacerbating, I, I think the question in your, your stat there is what percent is tooling and what percent is training, because typically they’re not, you know, at a, an equal value, right.
8:38
When you start to think about what people do, there’s a lot more OJT then there is kind of the, you know, the functional classroom, you know, type of activity that goes on that way.
8:47
You know, I wonder sometimes, you know, as you start to think about this, do you have to run, you know, a two-speed type of security and operations.
8:56
You run two-speed operations, right?
8:57
All the, the, the antiquated stuff and all the new stuff you want to run, right?
9:00
So being in a, being in a data center where it’s all kind of old and, and, and probably not as established as being in the cloud.
9:06
And you know, I was talking to the CISO of a multibillion-dollar pet food company, somebody I’ve worked with in the past, and he’s the one that brought that notion up to me, which is, you know, as you start to think about these new frontiers, it’s not just enough tooling and training, but is the thought process different also that you have to have as you use some of these more advanced, or you’re going after more of these advanced opportunities? It’s not enough to integrate Copilot into Outlook and say, hey, I’m doing this.
9:33
You really have to know how to use those tools.
9:36
And is that different than the traditional way that you would use security tools, although both would be warranted because I, I do go back to what you said earlier and, and where a lot of these breaches come from or a lot of these issues come from that are out there, right.
9:50
So you you look at you look at what happened to actually the biggest lock up that ever happened.
9:54
That was promoting code, right, and it wasn’t really a, the CrowdStrike problem.
9:59
Yes, exactly.
10:00
Let’s just call it what it was.
10:02
Yeah, and, and exactly, Chris, and and it wasn’t a security problem.
10:06
It was it was a code problem that wasn’t scanned the right way right upfront.
10:09
Due diligence wasn’t done before it got into production.
10:12
And that’s, you know, that’s, that’s in part a security thing, but it’s a, it’s a good hygiene.
10:16
You look at, you look at what happened with MFA, that’s a human activity.
10:22
And so, you know, the, the confines of really how you have to run.
10:26
This really starts to become like a three dimension chess game.
10:30
And it’s, it is training.
10:31
It is that.
10:31
But I also think the way that that we said it’s kind of flat in how you do it, you, you really need to understand how do you get the right people at the right place at the right time?
10:40
And that’s that’s a great point, Charles.
10:43
Sorry.
10:44
Go ahead.
10:46
No, that was it.
10:47
It was the conundrum.
10:48
Who was it?
10:49
Yeah, it was having a conundrum of conundrum.
10:51
We’re back from this commercial break, Right.
10:54
Oh, I was going to point that to you, Chris.
10:57
Like, when you think about that and how you see CISOs, you know, you’re in the seat.
11:01
You’re the guy in the seat, so to speak.
11:03
Or or person.
11:04
No, it’s true.
11:05
I am in the seat.
11:06
You’re right.
11:07
Here’s the thing.
11:08
You know, Charles said something that was poignant.
11:11
You got to get the people.
11:13
And so let’s just talk about that for a second.
11:17
You don’t just magically get the people you got to, you got to have recruiters that are out there finding people with the the talent.
11:24
In many cases, you have to train the recruiters to understand what they’re supposed to look for.
11:29
And then of course, once they, we get a couple of candidates of the proverbial we, if you will, then you’ve got to understand, is this what we, is this what the the hiring manager wants?
11:41
OK, great.
11:41
Now we got to look at the documents.
11:43
And I have an emphasis on the, on the, on the subject matter.
11:48
You got to look at the documents HR.
11:50
So you’ve got to make sure your, your entire ecosystem of people who are trying to bring people into the organization, do their jobs, Make sure that they’re looking at the documents, make sure that they’re hiring who they say they’re hiring.
12:03
Make sure that we are vetting these people, you know, in a way that that is healthcare ready because we’re not, we don’t have the tolerance or the time to think about do I trust this person?
12:15
Do I not is this person who he or she says they are or not.
12:21
So we we’ve got to really just go all the way down the line, right, Charles, to determine who’s coming into into your organization’s so that we can be protected all the way through that life cycle.
12:33
100% yeah.
12:34
And, and you know what that makes me wonder about Chris, and I don’t know what your take is, but you know, when you start to think about the complexity, right, there’s the complexity.
12:42
You just said, like, how do I get people that’s that’s complex, right?
12:45
And not even that, like you get to the finish line and they’ve got another offer somewhere else, right?
12:49
And so now it changes that little thing, right?
12:51
You’ve been there, I’ve been there.
12:52
You get into the complexity of how do I guard the stuff that’s been around before and probably needs the standard way to do it.
12:59
How do I guard the new stuff right and get kind of the advanced force put together?
13:03
You know, how do you look at how do you look at, you know, the point of when that’s not really your core competency?
13:08
What do you do?
13:09
Like, you know, if I’m, if I’m, if I’m a health tech and, and I’m putting out a new product and I’m, I’m out there really trying to help shape patient records to be able to do pre auth right at the end of the day.
13:20
And security isn’t really my, my, my big thing, right?
13:23
At the end of the day, It’s not all this is hard, but it’s distracting.
13:27
Where do you see CISOs, like, go at that point?
13:29
We, we, we hire people, we hire firms to come and help us.
13:34
It’s a partnership model.
13:37
There’s a reason that we have lots of vendor diligence happening is because we, we, we see someone who has their core competency, not necessarily on what, what we’re doing, but something we need.
13:47
So we hire that firm to do it.
13:49
And of course, we have to vet that firm and, and all the other things that go along with that.
13:55
And sometimes stakeholders internally will get feisty and say, why isn’t this done so quickly?
14:00
You know, well, sometimes there are layers of vendors who are relying upon one over the other over the other.
14:07
And so it’s not always an easy vetting process, but, but that’s, that’s how we do it.
14:13
Yeah.
14:14
I, I, I, I think it’s an interesting, you know, decision when, when you do that, because all those things that we’re talking about are things that are needed.
14:20
There’s, there’s no doubt, right?
14:22
Because even if you, you think about, you know, a lot of, a lot of companies I talked to talk about risk when it comes to cybersecurity.
14:30
I know you’ve covered this, you know, in the past and in conversations.
14:34
But then the real, the real thing that they’re starting to realize is, you know, 1 is a risk question, but 2 is what does it really do to my business if it happens?
14:41
You can say the risk of it happening, right?
14:42
But you can take a company where trust becomes something.
14:46
Cybersecurity is about trust.
14:47
I can trust you with the crown jewels of stuff and when the crown jewels get invaded, right?
14:53
Especially in healthcare where it’s not, it’s like a Social Security number or it’s not like a driver record or any of that where I can freeze my credit, right?
15:01
I can change my Social Security number.
15:02
I can’t change my healthcare data.
15:04
What I have and what, what is there is there where it really starts to become much more valuable.
15:10
And so you start to think about what it takes to do all that and the work that’s there.
15:14
I’m talking to a lot of companies where they’re, they’re looking and saying, you know, how do I get help here?
15:18
How I, I don’t know that continuously being the expert at 700 plus cybersecurity certifications, trying to figure out who’s got what, putting it in some tool to, to track some HR tool to track to do that.
15:31
And that they’re, they’re starting to look at other firms saying, listen, that’s your core competency as your core company and we expect excellence from you.
15:37
And how do you keep that excellence on our behalf?
15:39
I, I, I, I see a lot of that.
15:43
I mean, I, I can tell you in some of my, my other considerations, we, we always talk about the fact if it is your core competence, so you keep it.
15:50
If it’s not, it’s someone else’s and they should, they should really go do it and you should be able to enable that type of activity.
15:55
Yeah, I think you’re spot on, Charles.
15:57
One of the things that it takes me back to is the Health Sector Cyber Council working group, and we work on this, we toil on this topic all the time.
16:07
And one of the things that they put out and that’s I think it’s still on their website.
16:12
We’ll put the, the link here, maybe I don’t know, somewhere, we’ll put the link somewhere right across my big forehead.
16:21
And, and what they suggested was why don’t we start bringing them up from within, start to train them from within.
16:32
And, and what you, what you end up having is someone who’s loyal to the organization, someone who you trust because you’ve known them as they’ve come up, up into the ranks.
16:43
And, and that’s just one of the one other way that we can bolster some of our cybersecurity skill set.
16:50
Yeah.
16:51
And that’s an interesting, you know, correlation to your, your contribution to the Forbes Tech Council about how, you know, how do you advance that cause ’cause some of the other data I was seeing is showing that when, you know, cybersecurity leaders are hiring, they’re hiring, they’re having the hire at an advanced level.
17:10
There’s no junior entry level talent out there that you want to bring in that’s going to be in charge of securing all your data and preventing, you know, breaches from happening and, and OCR fines and all that kind of stuff, right?
17:21
And, you know, you don’t trust that to the kid down the street who might mow your lawn.
17:25
And so, you know, conceptually that means you have limited amount of, you know, headcount budget line items, right, Because you have to pay more for better talent.
17:33
So, you know, there’s that, that trade off of like, well, maybe I can get good talent, but I can only get a little bit of it versus, you know, I need, you know, like I said earlier, the, the demand and the supply side of this, there’s twice the capacity needed then then is available to support that.
17:49
So, you know, I, as you’re saying earlier, going out and find other, other partners and sound like that’s a really critical part for both retention, but also growth within the, the organization.
17:59
I’m, I’m curious how something like maybe someone from outside healthcare coming into healthcare for that, how that might look in terms of, you know, both the, the onboarding process and getting to closing that skills gap.
18:12
Is there a correlation between other industries and healthcare?
18:17
Does that create a wider gap that they have to cross?
18:19
What are your thoughts there, Charles?
18:22
I think that’s probably a you question since since you’ve worked, I’ve been exclusively healthcare for 20 years.
18:29
You know, I’d love to hear your perspective.
18:31
I’ve been in and out of healthcare for about the last decade and and a half.
18:36
I, you know, I, I think that what, what I think about what you said, John, is I, I think for all businesses there, there’s part of it, which is when a business gets locked up, right?
18:45
Let’s say it’s a ransomware attack or something like that.
18:48
There’s brand, brand damage that goes on.
18:51
There’s, you know, there’s, there’s fines, obviously, like, you know, I believe it was this year.
18:55
If you’re a public company and you have a breach, you now have to put it out in your your quarterly announcements, right?
19:00
So before you didn’t have to, right?
19:01
You could hide it if you wanted to.
19:03
And that was the way you ran your business.
19:05
Today the transparency is out there.
19:07
I think more than that, what you run into a security professionals when you have those type of things is, you know, security professionals take a lot of pride in what they do, right?
19:15
They, they are, you know, for lack of a better way to say it, they’re the police of, of what we do, right?
19:20
They’re chasing the bad guys.
19:21
And when you have those type of problems, right, a lot of them will start to get restless where they’re at.
19:27
And so you see that across, across all industries.
19:30
I, I don’t think that’s, that’s unfamiliar territory.
19:34
I think that in different industries for different reasons, they would tell you why they’re special.
19:40
You know, as an example, I was in the travel industry just recently and we would say, you know, in, in a way that, you know, we had the most valuable data and you just say, well, why do you have the most valuable data?
19:48
Because I know where you’ll be tomorrow, right?
19:50
It’s valuable to somebody, right?
19:52
The data is all valuable to somebody.
19:54
I think for us in healthcare, you know, the, the, the challenge is, is the type of data we have, the type of records, the disruption to patient care is actually more than that.
20:04
You, you look at some of these things and you say there was an auto dealership platform that, that locked up a bunch of auto dealerships and you couldn’t get finance.
20:11
And it’s not life or death, But when you’re you’re going into getting a read as an example.
20:17
Let’s say you’re going in to get some type of cancer read from a radiologist or an attending, right, from that perspective, and all your records are locked up for you, that’s life and death.
20:27
It absolutely is.
20:28
And whether it’s truly life or death or not doesn’t really matter at that moment to you, right?
20:32
When they can’t get to your records or you have delayed treatment of the rest.
20:35
And so when you start to think about healthcare, Healthcare is a very special place.
20:39
The security basics, you know, as you come into it, I think are, are relatively similar, right, in the way you’d want to kind of look at things, right?
20:47
I think the sensitivity, the sense of urgency, the, the amount of focus you have to have is amplified in healthcare because of those reasons, because when something happens, it’s much more amplified.
20:58
And so when I see security professionals come in out of other organizations or other groups, they really have to kind of change.
21:05
It’s, it’s almost like I was talking to somebody the other day about this.
21:09
It’s almost kind of like going from college to professional.
21:11
It’s just much faster.
21:13
It’s much more hard.
21:14
The hits are harder.
21:15
Everybody’s at their A game.
21:16
It’s the top of it.
21:17
And so I think a lot of it is really, you know, about a mindset.
21:20
And so you go back to what we originally started talking about training and development.
21:23
You know, part of this, do I have the right certifications?
21:25
And the rest part is, can I use whatever tooling that you’re using?
21:27
But part of it is, am I ready for game day every day?
21:31
Every day.
21:31
That’s what Healthcare is.
21:32
Yeah, good points.
21:35
Yeah, that makes me think you were talking earlier about the, the importance of, of medical records as they, you know, they follow you throughout your life versus, you know, other things you can change.
21:44
I can change my name if I want to.
21:46
Well, in fairness, you can change a medical record.
21:48
It’s just not good for you.
21:50
Yeah, it’s a bad thing.
21:52
But I mean, you know, what was it the CMS notified that there was, was it Medicaid or Medicare breach?
21:58
I think it was early.
22:00
I think it was something like close to 1,000,000 million members, right?
22:04
And arguably some of the most vulnerable out there, right?
22:07
Susceptible scams and things like that.
22:09
So not only, you know, hey, I can’t get my my cancer treatment today, but you know, now the people know how to use that.
22:16
You know, something about calling, pretending that my kid is, is lost and I need to wire the money and, you know, they’ve got, you know, your aspirations and your biggest fears in their pocket, right.
22:26
And and, you know, that member or that section of our our population is a lot more susceptible to to those types of things.
22:32
So, yeah, it just gets scary and compounds more and more, which I think to your point, Charles emphasizes the need for the sense of urgency around that stuff.
22:40
It’s not like, you know, they sold my credit card number.
22:44
I’ll go shut it down and get a new one.
22:46
And I do this every year kind of thing like this is, this is, this is life and death for, for, for some people.
22:52
So, so great.
22:56
I, you know, I, I really appreciate your old sign.
22:58
I think we had a, a really enlightening conversation about the importance of protecting this information and really understanding how to close the, the skills gap and the importance of, of different options for doing that.
23:08
So, Chris Charles, thank you both for joining us for our 25th episode.
23:14
You know, pun intended here.
23:16
No silver bullet solution here other than to make sure you can get access to the the best, best resources and skill sets that you need to protect the the patient data.
23:27
Yeah, I said pun intended, Chris.
23:29
I do.
23:29
I got it.
23:31
So, so great.
23:33
Thank you all both.
23:33
Again, for everybody tuning in, make sure to check back.
23:37
We have Cracking the Code episodes being released every so often.
23:41
So we try to keep a good pace here going.
23:43
But we invite you, you know, reach out if the topics you want to hear us talk about, please, please do that.
23:48
And we look forward to talking with you soon.
23:51
So thanks again, everybody.
23:53
Thanks, everybody.
23:54
Thanks all.